(54) System for packet filtering of data packets at a computer network interface

(57) A system for screening data packets transmitted between a network to be protected, such as a private network, and another network, such as a public network. The system includes a dedicated computer with multiple (specifically, three) types of network ports: one connected to each of the private and public networks, and one connected to a proxy network that contains a predetermined number of hosts and services, some of which may mirror a subset of those found on the private network. The proxy network is isolated from the private network, so it cannot be used as a jumping-off point for intruders. Packets received at the screen (either into or out of a host in the private network) are filtered based upon their contents, state information and other criteria, including their source and destination, and actions are taken by the screen depending upon the determination of the filtering phase. The packets may be allowed through, with or without alteration of their data, IP (Internet Protocol) address, etc., or they may be dropped, with or without an error message generated to the sender of the packet. Packets may be sent, with or without alteration, to a host on the proxy network that performs some or all of the functions of the intended destination host as specified by a given packet. The passing through of packets without the addition of any network address pertaining to the screening system allows the screening system to function without being identifiable by such an address, and therefore it is more difficult to target as an IP entity, e.g. by intruders.
Description

Background of the Invention

The present invention relates to screening of data packets sent from one computer network to another. There are numerous ways for a user on a public network to interact with a host machine on a private network, such as in a telnet session, an ftp (file transfer protocol) session, by email (electronic mail), and so on. In addition, computers on a given target network may be requested to carry out certain operations by users outside the network, besides directly connecting the requester's machine.

A conventional internetwork 10 is shown in Figure 1, including a private network 20, a public network 30 and another private network 40. If the private networks 20 and 40 are not provided with firewalls, they are quite vulnerable to intrusion.

Figure 3 shows an internetwork 110 where a private network 120 can communicate with another private network 140 via a router or bridge 130, which is controlled by logic (such as a circuit, or typically a processor with associated memory) 150 which controls network interfaces 160 and 170. When a data packet arrives from network 140 addressed to a host and specifying a port on network 120, it is mapped to that host and port by unit 180, and transmitted via interface 160 to the appropriate destination on the network 120. The system of Figure 3 is also not provided with any security, and hence is available for targeting.

Computer firewalls have therefore been developed, as in the system 50 shown in Figure 2, where private networks 60 and 100 can communicate with one another via public network 80, but are provided with firewalls 70 and 90, respectively. A problem with conventional computer firewalls (and routers or bridges such as bridge 130 in Figure 3) in use today is that they participate in IP (Internet Protocol) transactions, and in doing so generate information identifying them as IP machines, which makes them visible for targeting by intruders. For a detailed discussion of this and other types of problems with firewalls, see, e.g., the references Firewalls and Internet Security by Cheswick & Bellovin (Addison-Wesley 1994), and Internet Firewalls and Network Security by Siyan & Hare (New Riders Publishing 1996), which are incorporated herein by reference.

A firewall and packet filtering system should ideally be invisible to intruders so as to help minimize the number of ways in which it can be targeted, while nonetheless fulfilling the functions that are appropriate.

Current network security solutions often involve modifications to the networks in addition to the provision of firewalls, which can be complicated and expensive. A system is needed that can be connected to a network substantially without altering it, but providing security against breaches from outside the protected network.

Packet filtering systems are used today to provide security for networks, but conventionally act as routers, having one port or network interface coupled to the protected network and another port to another network or the Internet. As routers, such systems are responsive to IP commands, and in particular may respond to data packets by using their IP addresses. This allows intruders to target them for characterization and attack.

The same type of targeting may be accomplished when addresses within a protected network are known to users outside the network. It would therefore be advantageous to provide a system that can respond to data packets from outside a network without revealing IP address information about either the filtering system or about hosts within the network.

Summary of the Invention

The present invention is directed to a screening system that acts as both a firewall in the conventional sense and a signatureless packet filtering system. A screen is positioned on the network connection between, for example, a public network and a private network that is to be protected from targeting for attack. A port or network interface is provided for each of the two networks, and one or more additional ports are provided to one or more proxy networks.

The screening system includes a packet filtering subsystem or module, which inspects each incoming packet and sends it to an engine, which determines, based upon the packet inspection and other information, what actions should be taken on the packet. The packet is passed to an actions subsystem or module, which executes the appropriate actions.

If the packet's intended destination is a host machine on the private network, it may instead be sent aside to a preconfigured host machine on the proxy network, which executes appropriate operations that the actual host would execute, or different operations as desired. The proxy host generates responses using the IP address of the actual host, so the existence of the proxy network is not detectable. The screening system is not a router and hence does not have its own IP address, so it too cannot be detected in this manner, and is not subject to such operations as traceroute, ping, finger, and so on.

The screening system requires no modification to the private or public networks; instead, it can be connected in-line on the network connection, a proxy network can be set up with as many hosts as desired, and security is thereby provided without reconfiguring the private network or altering the network software.

The screening system can be preconfigured to carry out a wide range of other actions on the packets, all subject to predetermined criteria, such as dropping them with or without an error message, logging them, altering them or their headers, and so on. Each of these and other actions can be carried out while maintaining the anonymity of the screening system.
Brief Description of the Drawings

Figure 1 is a block diagram of a system connecting two computer networks via a public network.

Figure 2 is a block diagram of a system connecting two computer networks via a public network, using intervening firewalls.

Figure 3 shows a conventional system including a bridge between two computer networks.

Figure 4 is a block diagram of an exemplary connection from a private network and a public network to another private network via firewalls.

Figure 5 is a block diagram of a computer internetwork including a packet screening system according to the invention.

Figure 6 is a functional block diagram of a packet screening system of the invention on an internetwork.

Figure 7 is a block diagram of an alternative embodiment of the packet screening system of the invention.

Figure 8 is a block diagram of hardware for implementing the invention.

Figure 8A is a diagram of another embodiment of the invention.

Figure 9 is a functional block diagram of the invention.

Figures 10-11 are flow charts of the method of packet screening according to a preferred embodiment of the invention.

Description of the Preferred Embodiments

The Hardware of the Invention

Figure 4 shows an internetwork system appropriate for implementation of the present invention. A public network 200 (or network of networks, such as the Internet) can communicate with a private network or internetwork 210, which includes by way of example an engineering domain network 220 and a corporate domain network 230. A conventional firewall 240 is positioned as shown between the network 220 and the networks 230 and 200. Note that the firewall may, as illustrated, be positioned between a given private network (220) and a public network (200), and also between that private network (220) and other networks (such as 230) within its own private internetwork (210). The networking hardware and software can be any suitable conventional networking system, such as Ethernet.

Firewall 240 may be configured as a single machine or as separate machines, one handling the incoming data packets and the other handling the outgoing data packets from network 220, as desired by the implementer. In addition, another firewall specifically for the corporate domain network 230 would normally be used, but is not illustrated in this figure.

Any data packets transmitted from either of the networks 200 or 230 travel via connections 300 or 280 to the firewall 240, which may be conventional except in the respects noted below. Firewall 240 passes allowed data packets via connection 250 to the network 220.

Likewise, data packets from network 220 addressed to destinations within network 200 or network 230 are transmitted over connection 270 to the firewall 240, which passes packets as requested, subject to its security provisions, via connection 310 (if to network 200) or connection 290 (if to network 230). Connections 250 and 270-310 may all be conventional network connections, for example cables, fiber optics or the like.

Figure 5 is a logical block diagram of a packet screening system 340 of the invention that can be implemented in an internetwork system 320, which may alternatively be an internetwork such as that shown in Figure 4; thus, firewall 240 may be replaced by the screening system 340, which is configured to handle all of the conventional firewall functions plus the screening functions described below.

In Figure 5, a single private network 330 is shown coupled via a standard network interface 410 to the packet screening system (or simply "screen") 340. In addition, public network 350 is coupled to the screen 340 via another standard network interface 425. A third network, proxy network 430, is coupled to the screen 340 via network interface 420.

Using firewall connections such as those in Figures 4 and 5, any number N of private networks (which in this case may be considered to include the proxy network) may be coupled via multiple screens 340 of the invention to one another and to any desired number M of public networks. Thus, an N x M screening system may be formed; in the example of Figure 5, N = 2 and M = 1. See also the discussion below of Figure 8.

It is equally possible to build a system of the invention without the proxy network, where N = M = 1, and where data packets would be passed through without alteration of the IP address in one or both directions, or with some alteration but without adding any IP or other network address of the screening system itself. Such a system is described below in connection with Figure 8A.

Figure 6 shows greater detail of the screen 340, which may be a uni- or multiprocessor-based system; in this embodiment a single processor 390 is shown, coupled to one or more conventional memories (for example, RAM, ROM, EPROM, disk storage, etc.) 400, which store(s) the instructions necessary to execute the operations carried out by the invention. The network interfaces 410-425 are controlled by the processor 390 in conventional fashion.

The private network will typically include many different hosts; examples are a mail host 360; an ftp (file transfer protocol) host 370 for governing ftp connections; and other hosts 380 for other services, such as a WWW (World-Wide Web) server, hosts for rlogin (remote login) and rshell, and so on.

The proxy network 430 includes proxy (or virtual) hosts 435, which preferably are separate computer systems. In the preferred embodiment, the proxy network 430 includes a virtual host mirroring (or acting as proxy for) each of a subset (or all) of the hosts found on the private network 330, in a manner to be described below.

Such virtual hosts in the embodiment shown include a proxy mail server 440, a proxy ftp server 450, and other virtual hosts 460, with a virtual (proxy) host for each actual host desired to be duplicated, which may include some or all of the actual hosts. The proxy hosts are "virtual" in the sense that they are not the actual targeted hosts 360-380, but rather mimic the behavior of those hosts; but they do represent actual hardware and/or software in the proxy network.

Hosts may also be included that are unique to the proxy network. For instance, the proxy network 430 may include a WWW server 445 which is unique to the proxy network, i.e. is not merely a mirror or proxy for a WWW server within the network 330. In this case, when a user from network 350 requests a connection to http://www.[private network].com, he/she will be connected to WWW server 445. Other servers 455 unique to the proxy network 430 may also be provided.

A proxy network may thus include proxy hosts representing actual hosts, and/or proxy hosts with unique servers, in any combination (zero to several of each). Whichever configuration is adopted, the private network 330 and the proxy network 430 together form a single logical or apparent network 345, i.e. a single apparent domain from the point of view of outsiders, such as users on the public network 350, so that when a user attempts to access a service or host of the private network, the request may be shunted aside to the proxy network, to either a mirroring proxy host or a unique proxy host, without any indication being given to the user that this has occurred. (Note that "proxy host" may mean that it is a proxy for an actual host, or may mean that it is a host on the proxy network, albeit a unique host.)

Figure 7 shows an alternate embodiment of the system of the invention, namely a system 325 wherein the proxy network 430 is implemented entirely in program instructions stored in the memory 400 of the screen 340, or as additional processor(s) and memory(-ies) controlled by program instructions stored in one or more of the memories. In this case, the screen 340 and proxy network 430 shown in Figure 6 constitute separate logical entities, but not separate physical entities (except to the extent that the instructions, data, commands, signals, etc. are themselves separate physical entities). That is, the screen 340 and proxy network may be a single unit. In this embodiment, the actual hosts 360-380 are emulated by the program instructions, so that all of the behavior of any of the actual hosts may be mimicked by a virtual proxy host module. The remainder of the present disclosure is with reference to Figures 5-6, but should be understood as applicable as well to the embodiment of Figure 7.

Figure 8 is a block diagram of the hardware for implementing the system of the invention, showing additional detail of the screen 340 over that shown in Figures 5-6. Like-numbered elements in the drawings are alike; so it will be seen that Figure 8 additionally shows conventional disk stores 500, and I/O (input/output) devices 510 such as a smart card, keyboard, mouse, monitor, and/or other standard I/O devices are provided, as well as other desired conventional storage or memory 520. The instructions or program modules stored in memory 400 control the operation of the screen 340.

In one embodiment, the screen does not provide conventional user-level access, e.g. does not include the standard keyboard and monitor. This is a security feature to prevent meddling with the screen's configuration. In such an embodiment the screen is administered remotely through a dedicated network port with a secret IP (or other protocol) address that responds only to communications that are authenticated, encrypted and conforming to a dedicated, special-purpose administration protocol. Such a protocol, and the encryption and authentication schemes used, may be developed and/or selected by the screen administrator. Note that the secrecy of the address is no substitute for the authentication and encryption: an address can be learned by observing traffic, so the administration port should discard any packet that fails authentication without reply, exactly as the screen's other interfaces discard unsolicited packets.

As shown in Figure 8, the screen 340 may include, instead of a single port 425 (as in Figure 5) connected to a public network, multiple ports 427 connected to multiple public networks, respectively, and may include one or more additional ports 415 connected to other private network(s) 335. For instance, a private network 335 may be an engineering domain eng.sun.com in a company, while the private network 330 may be a corporate domain corp.sun.com within the same company. The eng.sun.com and corp.sun.com domains may communicate with one another (if desired, through an additional screen of the invention or a conventional firewall, not shown) via connection 337, and form a single private internetwork 355, while both these domains are protected against intrusions from public network(s) 350 by the screening system 340. The proxy network 430 in this embodiment includes proxies for both the eng.sun.com and corp.sun.com domains.

Thus, although in the remainder of the present discussion it is assumed that the communications in question are between a single public network 350 and a single private network 330, the features of the invention may equally well be applied to multiple private networks 330, 335 connected via the screen 340 to multiple public networks 350.

In the system 530 shown in Figure 8A, a private network 540 is provided with a screening system 540 according to the invention, but without the proxy network. In this and the other embodiments, data packets are transmitted in either direction without alteration of their IP addresses, or alternatively with some alteration but without adding any IP or other network address of the screening system itself. The decision to alter addresses or not can be made on a packet-by-packet basis according to the predetermined criteria.

In the system of the invention (including any of the embodiments of Figures 5-9), the source and destination addresses that are provided with the packet would thus remain (whether altered or not) the sole host identifiers or addresses associated with the packet. In an alternative to this embodiment, the screening system can substitute another network address for either the source address or the destination address (or both), where the newly substituted address is either bogus or belongs to a host other than the screening system. In either case, no network address pertaining to the screening system attaches to a data packet.

As indicated above, the screening system preferably does not even have an IP or other network address, and while it can interpret IP protocol, it is configured not to respond to IP requests. Thus, the screening system avoids detection and hence targeting by intruders.

The operation of the system of Figures 5-6 will be discussed in detail below in connection with Figures 9-11, but should be understood to apply to the other embodiments of the invention. Each of the operations, actions or functions to be executed by the system of the invention, as discussed above and hereinafter, may be implemented as program instructions or modules, hardware (e.g. ASICs or other circuitry, ROMs, etc.), or some combination thereof.

General Handling of Data Packets

In Figure 6, when a data packet arrives from the public network 350 addressed to one of the hosts or servers 360-380, it is intercepted by the screen 340. Such a packet typically will include a source address, a destination address, a requested operation and/or service, and other information, such as a message (if it is email), data to be operated on, and so on.

The screen 340 includes instructions stored in memory 400 governing its control of actions to be taken on the incoming (and outgoing) data packets. These instructions include a predetermined set of criteria based upon the aforementioned contents of the data packets (source and destination addresses, type of service, or other information obtainable from the data packets), and based upon other information, such as: the time of day the packet was sent or is received by the screen; the state of the connection between the public and private networks (or the state of the connection to a particular host or service in the private network); and more obliquely obtainable information, such as whether the source address emanates from an expected (inter)network location. This may be done by determining whether the source host is in the expected domain, or it may be done by determining whether the packet arrives at the network interface expected for that packet. For instance, a packet whose source address is identified as a host on private network 330 should not arrive at network interface 425 (in Figure 6) for the public network 350; if it does, this is an indication that an intruder may be attempting to breach the private network by masquerading as a trusted host. In this case, the screen 340 should drop the packet without reply.

Such screening criteria can be implemented by inspecting the contents of the data packets, by reference to external data (such as connection status and time of day), and by reference to predefined tables or other information useful to implement the criteria and stored in the memory 400. For instance, a table may be provided of all source addresses allowed to communicate with the network 330, correlated with the types of operations and services they are allowed to use, the times of day they are allowed to be connected or to pass packets, the expected locations for the sources (since a connection from an unexpected source may indicate a security problem), the number of times a source is allowed to commence a transaction, the total amount of time (e.g. per day or month) that a particular source is allowed to use services of the network 330, and so on.

The application of the screening criteria leads the screen 340 to take one or several predefined actions on each data packet; these actions are discussed below.
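The criteria and the allow-table just described, as an added example that is not from the patent: a stateless inspection pass over a parsed packet that applies the interface check against masquerading (a private source address arriving on the public interface is dropped without reply), looks the source up in a table of cleared sources with their permitted services and hours, discards probes aimed at the screen, and shunts requests for mirrored hosts aside to the proxy network. The address plan, the interface labels, the table contents and the clock values are constructed for the example and are assumptions, not values from the patent.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface labels follow the figure numbering (410 private, 420 proxy, 425 public).
PRIVATE_IF, PROXY_IF, PUBLIC_IF = "if410", "if420", "if425"

# Constructed address plan (an assumption; the patent names no prefixes):
# the private network lives in 10.1.0.0/16, proxy hosts in 10.2.0.0/16.
PRIVATE_NET = ip_network("10.1.0.0/16")

# Mirrored hosts: real host address -> proxy host that stands in for it.
PROXY_FOR = {
    "10.1.0.25": "10.2.0.25",   # mail host 360 -> proxy mail server 440
    "10.1.0.21": "10.2.0.21",   # ftp host 370  -> proxy ftp server 450
}

# Allow-table of cleared outside sources: which services each may use and when.
ALLOWED_SOURCES = {
    ip_network("198.51.100.0/24"): {
        "services": {("tcp", 25), ("tcp", 21)},
        "hours": (time(8, 0), time(18, 0)),
    },
}

NOON = datetime(2024, 1, 1, 12, 0)     # constructed clock values for the samples
NIGHT = datetime(2024, 1, 1, 22, 0)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]
    ingress: str            # interface the packet arrived on
    syn: bool = False       # TCP SYN without ACK: a new session attempt


@dataclass
class Verdict:
    action: str             # "pass", "drop" (silent, no bounce) or "proxy"
    reason: str
    rewritten_dst: Optional[str] = None


def screen(pkt: Packet, now: datetime) -> Verdict:
    """Apply the inspection criteria and return the action the screen takes."""
    src = ip_address(pkt.src)

    # A source claiming to be inside the private network must never arrive on
    # the public interface: treat it as a masquerade and drop without reply.
    if src in PRIVATE_NET and pkt.ingress == PUBLIC_IF:
        return Verdict("drop", "private source address on public interface")

    if pkt.ingress == PROXY_IF:
        # Proxy hosts answer in the real host's name, but only mirrored hosts
        # may do so, and no proxy host may open a session of its own.
        if src in PRIVATE_NET and pkt.src not in PROXY_FOR:
            return Verdict("drop", "unknown host speaking from proxy network")
        if pkt.syn:
            return Verdict("drop", "proxy network may not initiate sessions")
        return Verdict("pass", "reply from proxy host")

    if pkt.ingress == PUBLIC_IF:
        # The screen has no address: probes aimed at it are discarded silently.
        if pkt.proto == "icmp":
            return Verdict("drop", "probe discarded without reply")
        entry = next((e for net, e in ALLOWED_SOURCES.items() if src in net), None)
        if entry is None:
            return Verdict("drop", "source not cleared in advance")
        if (pkt.proto, pkt.dport) not in entry["services"]:
            return Verdict("drop", "service not allowed for this source")
        start, end = entry["hours"]
        if not start <= now.time() < end:
            return Verdict("drop", "outside allowed hours")
        if pkt.dst in PROXY_FOR:
            # Shunt aside: the request is served on the proxy network instead.
            return Verdict("proxy", "destination mirrored on proxy network",
                           rewritten_dst=PROXY_FOR[pkt.dst])

    return Verdict("pass", "criteria satisfied")
```

Every "drop" here is silent: the function returns no error indication for the sender, which is what keeps the screen from showing up as an IP entity. The table lookup is deliberately ordered so that the spoofing check runs before any allow-table match, since a forged private source would otherwise be evaluated as though it were a trusted insider.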

Actions To Be Taken on Packets 

Actions are taken on each data packet by the screening system 340, based upon the foregoing criteria and the particular security protocol and level for that packet as determined in advance by the system administrator. For instance, it may be decided that no packets from (or to) any source that is not cleared in advance will be allowed in; in this case, packets from (or to) any other source will be dropped by the screen 340 without further action, either with or without an error message or other communication back to the sender; in the silent case the sender will have no indication of what has happened to the packet, and there will be no "bounce" message.

This helps prevent attacks on the system. For instance, if a traceroute packet is received, instead of following the normal IP procedure of responding to the packet, the screen of the invention simply discards it, and the initiator of the traceroute command cannot in this way detect the screen.

Topology hiding, i.e. changing the network address of the packet as it passes through the screen, can be done so that it appears that all the packets issuing from the screen come from the same host, even though they are coming from a multiplicity of sources. This inhibits outsiders attempting to leverage off the knowledge they may gain by learning userids, host names, etc. within the private network.

Another action can, of course, be to simply pass the packet through to its destination, with or without some alteration based upon predetermined criteria. For instance, it may be decided in advance that all packets from a given host inside private network 330 will have the userid or host ID stripped off, and the packet may be passed through with some other IP source address.

Encryption and decryption may also automatically be executed on certain data packets, with the criteria defined by the system administrator. Along with this it may be desirable to encapsulate a packet and give it a new header with a new IP address, as described for instance in applicant's copending U.S. patent application entitled "System for Signatureless Transmission and Reception of Data Packets Between Computer Networks" by Aziz et al., Serial No. 08/306,337 filed September 15, 1994, which is incorporated herein by reference.

Packets will normally be logged in the log file storage 640 (especially failed attempts or requests), including whatever information the system administrator decides is important, such as: time of day; source and destination addresses; requested operation(s); other actions taken with respect to each packet; number of requests to date from this source; and so on.

Packets may also be counted, so a running total of the number processed in a certain time period is kept.

Address rewriting is mentioned above; other contents of the packet may also automatically be rewritten by predefined actions, including rewriting or otherwise altering data or messages carried by packets.

State information about the packets can also be determined, logged if desired, and altered by actions. For instance, TCP/IP (transmission control protocol/internet protocol) status can be affected as desired to establish, maintain or end a connection. In general, the screen can store information about what state each packet is in, and take actions dependent upon that state, including maintaining information about which packet was the initial request and which the response, and so on; so prior events may have to be stored for some time, but in this case the screen can determine the entire history of a series of transactions and take appropriate actions at each time.

An important action for security purposes is that of sending packets aside to the proxy network 430, which includes servers/hosts as discussed above that execute operations upon the packets as if the proxy hosts were the actual, intended destinations. Upon execution of such operations, a proxy host may then return a given packet to the sender, i.e. send the packet off with the original sender's address as the destination. That packet will then go through the screen 340, which will subject it to the predetermined inspection criteria, just as when it was first received at the screen from, for instance, public network 350. The criteria will typically have different results for packets emanating from the proxy network 430 or the private network 330; for instance, it may be decided that no hosts outside the private network may initiate telnet sessions to the private network, but that hosts inside the private network may initiate telnet sessions to hosts outside the private network.

The fact that the screening system has no network address (IP or otherwise) enables it to carry out its security functions anonymously; notably, it does not act as a conventional network bridge. If the screen 340 provided the functions of a bridge, it would have to respond to IP commands, and hence would be detectable and targetable.

The proxy network has the additional advantage of preventing outsiders from ever actually entering the private network 330; once a user has been allowed access or a connection to a private network it is much more difficult to restrict his/her actions than if no access at all is allowed. By providing duplicate or mirrored proxy functionality for some of the services of the private network in the proxy network, and/or the functionality of unique hosts or other services (hardware and/or software) in the proxy network, the outside user's requests are met while invisibly preventing him/her from ever actually accessing the private network.

In addition, it may be decided that no such sessions may be initiated at all from within the proxy network, which might compromise security of the private network, since packets from the proxy network in general will otherwise have lower hurdles to overcome to be retransmitted by the screen, since they will be more "trusted" by the system. Allowing the proxy network to initiate TCP sessions might allow an intruder from outside the system to effectively bypass the firewall security if he/she can figure out how to cause the proxy network to initiate a TCP session instead of having to do so from the public network.

It may be desirable to allow certain connections to be established from the private network to the public network but not vice versa. For instance, TCP sessions (such as telnet or ftp) may be initiated by a user within the private network 330 to the public network 350, while blocked from any public network machine to the private network.
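Topology hiding, the connection-state table and the initiation rules above (private hosts may open sessions outward, the public network may not open them inward, the proxy network may not open them at all) fit together in one mechanism. The following is an added example, not code from the patent: a connection table keyed by the peer's address and port and by a per-connection hidden port, so that every outbound packet leaves with one assumed address (203.0.113.1) while the real host is recorded only inside the screen; an inbound packet passes only if it matches an entry and is rewritten back to the real host, and an unsolicited inbound SYN is dropped with no reply. Interface labels, the hidden address and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PRIVATE_IF, PROXY_IF, PUBLIC_IF = "if410", "if420", "if425"
HIDDEN_SRC = "203.0.113.1"   # assumed: the one address all outbound packets appear to come from


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str             # interface the packet arrived on
    syn: bool = False
    ack: bool = False
    fin: bool = False


class Screen:
    """Connection-state table plus topology-hiding address rewriting."""

    def __init__(self, hidden_src: str = HIDDEN_SRC):
        self.hidden_src = hidden_src
        self.next_port = 40000
        # (peer address, peer port, hidden port) -> connection record
        self.table = {}

    def handle(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        if pkt.ingress == PRIVATE_IF:
            return self._outbound(pkt)
        if pkt.ingress == PUBLIC_IF:
            return self._inbound(pkt)
        # Proxy hosts may answer but never open a session of their own.
        if pkt.syn and not pkt.ack:
            return "drop", None
        return "pass", pkt

    def _find_outbound(self, pkt):
        for key, rec in self.table.items():
            if (rec["host"], rec["port"]) == (pkt.src, pkt.sport) and key[:2] == (pkt.dst, pkt.dport):
                return key, rec
        return None, None

    def _outbound(self, pkt):
        key, rec = self._find_outbound(pkt)
        if rec is None:
            if not (pkt.syn and not pkt.ack):
                return "drop", None          # no state and not a new session: discard
            key = (pkt.dst, pkt.dport, self.next_port)
            self.next_port += 1
            rec = self.table[key] = {"host": pkt.src, "port": pkt.sport,
                                     "state": "SYN_SENT", "fins": set()}
        if pkt.fin:
            rec["fins"].add("out")
        self._retire(key, rec)
        # Every packet leaves with the same hidden source; the real host is only in the table.
        return "pass", replace(pkt, src=self.hidden_src, sport=key[2])

    def _inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dport)
        rec = self.table.get(key)
        if rec is None or pkt.dst != self.hidden_src:
            return "drop", None              # unsolicited: no reply, no bounce message
        if pkt.syn and pkt.ack and rec["state"] == "SYN_SENT":
            rec["state"] = "ESTABLISHED"
        if pkt.fin:
            rec["fins"].add("in")
        self._retire(key, rec)
        return "pass", replace(pkt, dst=rec["host"], dport=rec["port"])

    def _retire(self, key, rec):
        # Forget the connection once both sides have sent FIN.
        if len(rec["fins"]) == 2:
            del self.table[key]
```

Because all hosts share the single outside address, the hidden port is what distinguishes two private hosts talking to the same peer, so it is allocated per connection rather than copied from the host's own port. The table holds the only copy of the real host address, which is the property the text describes: nothing leaving the screen identifies either the screen or the originating host.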

In general, all actions taken by the proxy network will pass the packets without identifying the proxy network or any host in it as a separate IP entity. Thus, the packets will, upon being passed or returned after processing, either appear actually to have been processed by the specified destination host (when in fact the proxy host has handled it), or they will be processed to remove, alter, or otherwise obscure the destination address (which is the source address for return packets). In either case, no IP address for the proxy host exists, and none is appended to any packets.

Functional Architecture of the Screening System

Figure 9 is a functional block diagram corresponding to Figure 8, but showing the functional modules that are used by the screen 340. In the preferred embodiment these modules are, as indicated above, program instruction modules stored in memory 400 and executed by processor 390.

The modules shown in Figure 9 include a packet inspector 600 with a process 602-606 for each of the network interfaces 410-425; an engine 610 with rules 620; actions 630 and a log file storage 640; a packet state table 650, which is a conventional hash table; a fragmentation cache 670 (along with a fragmentation bypass as shown); a packet fragmentor 660 coupled to each of the network interfaces 410-425; and a learning bridge table 680. The connections shown in Figure 9 refer to logical (software) instructions or hardware instructions or both, depending upon the particular physical implementation of the invention.

The packet inspector 600 includes the instructions for inspecting the contents of the incoming packets based upon the criteria discussed above. That is, each incoming data packet, wherever it comes from, is subjected to packet inspection by the packet inspector 600.

The engine 610 processes incoming packets, and passes them to the actions 630 to execute the appropriate operations on the packets, as discussed above. The actions modules 630 are the modules dedicated to performing these operations.

The log file storage 640 is used to store information about the data packets received at the screen 340, as discussed above. The packet state table 650 is similarly used to store information about states of the received packets.

The fragmentor 660 operates in a conventional manner to fragment packets that are larger than a predefined maximum transmission unit (MTU). This may occur, for instance, where the screen adds information to a packet so as to increase its size past this allowable maximum. A fragmentation cache 670 is used in conventional fashion to implement fragmentation and reconstruction of packets. Fragmentation packets typically include primarily or only IP header information and data (in particular, no port number is included), and the screen 340 will rebuild the packets as necessary, using the fragmentation cache. That is, the first fragmented packet is stored in the fragmentation cache, as are subsequent fragments, until the last fragmented packet is received, and the packet is then reconstructed.

The fragmentation bypass 675 is used by the packet inspector to bypass the engine operation for fragmented packets for which information is found in the fragmentation cache 670. Thus, when fragmented packets that are second or later in the series of fragmented packets are received, this is detected when the packet inspector 600 checks the fragmentation cache 670. In such a case, the newly received fragmentation packet is sent via bypass 675 to the actions 630, rather than via the engine 610.
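The cache-and-bypass behaviour described for modules 670 and 675, as an added example that is not the patent's own code: the first fragment (the only one carrying port numbers) is run through the rule engine and its verdict cached; later fragments with a matching cache entry skip the engine and inherit that verdict, and the datagram is rebuilt once the last fragment arrives. Fragment fields, verdict names and the handling of an orphan fragment are assumptions.

```python
"""Fragmentation cache 670 with the bypass 675 of Figure 9.

Added example, not the patent's code. Fragments are constructed dicts with
src, dst, ip_id, offset (bytes), mf (more-fragments flag) and payload; the
first fragment also carries dport. Verdict names and the treatment of an
orphan fragment (no first fragment in the cache) are assumptions.
"""


class FragmentCache:
    def __init__(self):
        # (src, dst, ip_id) -> verdict of engine 610 plus the pieces seen so far
        self.entries = {}

    def handle(self, frag, engine):
        """Route one fragment; returns (path, verdict, reassembled or None)."""
        key = (frag["src"], frag["dst"], frag["ip_id"])
        entry = self.entries.get(key)
        if entry is None:
            if frag["offset"] != 0:
                # Orphan: no port numbers and no cached decision, so the
                # engine cannot classify it; discard it (assumption).
                return ("drop", "drop", None)
            # First fragment carries the transport header: run the engine
            entry = {"verdict": engine(frag), "pieces": {}, "total": None}
            self.entries[key] = entry
            path = "engine"
        else:
            path = "bypass"   # bypass 675: straight to actions 630
        entry["pieces"][frag["offset"]] = frag["payload"]
        if not frag["mf"]:   # last fragment fixes the datagram length
            entry["total"] = frag["offset"] + len(frag["payload"])
        data = self._reassemble(entry)
        if data is not None:
            del self.entries[key]   # datagram complete: free the cache slot
        return (path, entry["verdict"], data)

    @staticmethod
    def _reassemble(entry):
        if entry["total"] is None:
            return None
        buf = b""
        for off in sorted(entry["pieces"]):
            if off != len(buf):   # gap or overlap: not reassembled yet
                return None
            buf += entry["pieces"][off]
        return buf if len(buf) == entry["total"] else None


def run_constructed_trace():
    """Three fragments of one datagram; returns the per-fragment results."""
    cache = FragmentCache()
    # constructed stand-in for engine 610: only destination port 80 passes
    engine = lambda f: "pass" if f.get("dport") == 80 else "drop"
    hdr = dict(src="198.51.100.9", dst="10.0.0.5", ip_id=7)
    frags = [dict(hdr, offset=0, mf=True, dport=80, payload=b"GET /ind"),
             dict(hdr, offset=8, mf=True, payload=b"ex.html "),
             dict(hdr, offset=16, mf=False, payload=b"HTTP/1.0")]
    return [cache.handle(f, engine) for f in frags]
```

Because a later fragment inherits the first fragment's verdict, a cache entry must only ever be created by a fragment the engine actually inspected; that is why the orphan case above is not allowed to seed one.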

The learning bridge table 680 allows the screen 340 to act as a conventional learning bridge, i.e. to keep track of which hosts are on which side of the screen, and maintain tables of this information as packets arrive from one host or another at each of the screen's ports (network interfaces).

Operation of the Screening System 

Figures 10-11 are flow charts showing a preferred embodiment of the method of the invention. When a packet is sent by a host on, for instance, public network 350, it is received at port (interface) 425 of the screen 340. See box 800 in Figure 10. The packet inspector inspects the contents of the packet as described above (box 810).



If the packet is to be rejected, it is efficient to do this by using the learning bridge table (of source addresses) 680.

One embodiment suitable for implementing packet inspection is shown in the flow chart of Figure 11, though many variations are possible. In this exemplary flow chart, upon receipt of the packet (box 900), each of the packet headers is inspected in order (box 910), i.e. the physical link (such as IP); the IP header (is it TCP?); the TCP header (as to which port is designated and whether it's an existing or a new connection); and so on.

At boxes 920 and 940, negative determinations lead to box 930 for appropriate actions; positive determinations lead to box 950, where the designated port is determined, and then to box 960, where it is determined whether this particular connection is allowed, taking into account the information that the packet inspector has at its disposal, including the header information and also the packet contents, source, destination and the other information mentioned above.

If the connection is not allowed, it is blocked (box 970), but otherwise it is allowed, and then the method tests whether it is an initial connection (box 980) - if so, then at box 990 the connection is established, and at box 995 information is stored in the state table 650 (see Figure 9) to identify the new connection. If not, then the connection is checked at box 1010, and any update information (e.g. new information about the connection) is stored in table 650.

From either step 990 or 1020, the method proceeds to box 1000, i.e. returns to box 810 in Figure 10.

It will be appreciated as mentioned that Figure 11 is but one embodiment of myriad possible sequences of tests and operations that may be carried out in the packet inspection phase. The operations of Figure 11 may be carried out by the engine 600 based upon the results of the packet inspection (e.g. at boxes 920, 940, 960 and 980).
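The Figure 11 sequence (boxes 910 through 1010) together with the private-to-public-only session policy described earlier, as an added example that is not code from the patent: a packet is inspected header by header, a new session is admitted only when opened from the private side to a permitted port, later packets must match an entry in the state table, and everything rejected is dropped without any response to the sender. Side names, the allowed-port set and the action labels are assumptions.

```python
"""Stateful TCP inspection modelled on the Figure 11 flow.

Added example, not code from the patent. Packets are dicts constructed
inline; the side names, allowed-port set and action labels are assumptions.
"""
from dataclasses import dataclass, field

PRIVATE, PUBLIC = "private", "public"   # interface a packet arrived on (assumed)
ALLOWED_OUTBOUND_PORTS = {21, 23}        # ftp, telnet: private -> public only


@dataclass
class Screen:
    # packet state table 650: a hash table keyed by the connection 4-tuple
    state_table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # stands in for log file storage 640

    def _drop(self, pkt, reason):
        # Silent drop: no RST or ICMP goes back, so the sender learns nothing
        # about the screen (claims 5 and 13).
        self.log.append((reason, pkt["src"], pkt["dst"]))
        return "drop"

    def inspect(self, pkt):
        """Boxes 910-1010: return 'pass' or 'drop' for one packet."""
        if pkt.get("proto") != "tcp":             # box 920: not TCP -> box 930
            return self._drop(pkt, "not-tcp")
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = set(pkt["flags"])
        if flags == {"SYN"}:                      # box 980: initial connection
            # box 960: a session may only be opened from the private side
            if pkt["side"] == PRIVATE and pkt["dport"] in ALLOWED_OUTBOUND_PORTS:
                self.state_table[key] = "syn-sent"        # boxes 990 and 995
                return "pass"
            return self._drop(pkt, "inbound-initiation")  # box 970
        # box 1010: anything else must belong to a connection in the table
        entry = key if key in self.state_table else reverse
        if entry not in self.state_table:
            return self._drop(pkt, "no-state")
        if flags & {"FIN", "RST"}:
            del self.state_table[entry]           # update: session closing
        elif "ACK" in flags:
            self.state_table[entry] = "established"   # update: handshake done
        return "pass"


def run_constructed_trace():
    """Replay a constructed three-packet trace; returns the actions taken."""
    s = Screen()
    out_syn = dict(proto="tcp", side=PRIVATE, src="10.0.0.5", sport=40000,
                   dst="192.0.2.10", dport=23, flags=["SYN"])
    syn_ack = dict(proto="tcp", side=PUBLIC, src="192.0.2.10", sport=23,
                   dst="10.0.0.5", dport=40000, flags=["SYN", "ACK"])
    in_syn = dict(proto="tcp", side=PUBLIC, src="198.51.100.9", sport=5555,
                  dst="10.0.0.5", dport=23, flags=["SYN"])
    return [s.inspect(p) for p in (out_syn, syn_ack, in_syn)]
```

The return leg of the private-initiated session passes only because its reversed 4-tuple is found in the state table; a public-side SYN to the same port, with no such entry, is dropped silently.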

Proceeding to box 820 in Figure 10, the packet is passed to the engine 610, which executes the appropriate predefined operations discussed above. Typically, for firewall/screen 340 this will involve blocking or passing the packets, where if they are passed they may be turned aside to be operated upon by a proxy host in the proxy network 430.

The current packet is thus passed to the actions module 630 for execution of the appropriate actions (box 830), and at box 840 the engine determines whether there are additional actions to be taken, based upon the packet inspector results and its own determination of which actions were appropriate to take. On the first pass through for a given packet, there will be at least one action to take (even if it is only one action, e.g. to drop the packet without further action); so the first time through, box 840 will lead to box 850, where the first action is taken.

The method then proceeds back to box 830, and this loop is completed until all actions determined by the engine have been taken by the actions module. At this point, box 840 leads to box 860, where the screen 340 determines whether there is another packet at one of its input ports (network interfaces). If so, the method begins anew at box 800, and if not, then the method ends at box 870. It may recommence any time a new packet is received.

Claims 

1. A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system, including the steps of:

(1) receiving a first said packet directed from the first network to the second network as a current packet;

(2) determining from contents of the current packet whether the current packet is of a predetermined type for being allowed to pass to the second network;

(3) if the determination of step 2 is positive, then determining a destination address within the second network as specified by the current packet, and passing the current packet to an ersatz address substituting for said destination address, the ersatz address residing in the proxy system;

(4) determining whether at least one action requested by the current packet is of a type predetermined to be allowed, and if not then rejecting the current packet and proceeding to step 6, and if so then proceeding to step 5;

(5) taking the action specified by the current packet in at least one of the screening system and the proxy system;

(6) determining whether another packet has arrived at the screening system, and if so then receiving that packet as the current packet and proceeding to step 1, and if not then ending the method.

2. The method of claim 1, including, in step 5, the step of transmitting a response data packet from the proxy system to the first network using at least a portion of said destination address as the sole identifier of the location of execution of the action.

3. The method of claim 1, wherein the determination of step 4 is based upon at least one of the current packet's source address, destination address, source port, destination port, requested action and state of connection.

4. A screening system connected to a first computer network and a second computer network for screening data packets transmitted between the first and second networks, including:

a processor;

a memory coupled to the processor;

input and output circuits for transmitting and receiving data packets to and from, respectively, said first and second networks; and

program instructions stored in said memory for controlling flow of data packets between the first and second networks, including:

a first program module for determining whether a first data packet transmitted from the first network to the second network meets predetermined criteria;

a second program module for passing the first data packet to the second network if the predetermined criteria are met;

a third program module for preventing passage of the first data packet to the second network, if the predetermined criteria are not met.

5. The system of claim 4, where the third program module prevents passage of the first data packet without sending a response to the first network.


6. A method for screening data packets arriving at a screening system connected between a first computer network and a second computer network and for executing actions in a proxy system connected to the screening system, including the steps of:

(1) receiving a first said packet from the first network at the second network as a current packet;

(2) determining from contents of the first data packet a requested operation, a source address and a destination address for the first data packet;

(3) determining, based upon at least one predetermined criterion, an action to be taken in response to the requested operation;

(4) passing the current packet to a proxy host substituting for said destination address, the proxy host residing in the proxy system; and

(5) in the proxy system, taking the determined action.

7. The method of claim 6, where the predetermined criterion is at least one of the source address, destination address, source port and destination port for the first data packet.

8. The method of claim 6, wherein the predetermined criterion is the type of the requested operation.

9. The method of claim 6, wherein the predetermined criterion is a state of the connection between a source in the first network and a destination in the screening system.
10. The method of claim 6, wherein the predetermined criterion is the time of day at which the operation is requested.

11. The method of claim 6, wherein the predetermined criterion is whether the source is at an expected internetwork location.

12. A proxy system coupled to a screening system connected between a first computer network and a second computer network for screening data packets sent from said first network to said second network, at least one said data packet including a first field specifying an intended recipient system for the data packet and further including a second field specifying a requested operation for said intended recipient system to execute, the proxy system including:

a processor;

a memory connected to said processor configured for storing instruction modules specifying operations to be executed by said processor;

a plurality of action modules stored in said memory including instructions specifying a predetermined set of actions to be taken with respect to at least a first said data packet received at said screening system, based upon predetermined criteria with respect to contents of said first data packet;

a screening module including instructions for the screening system to block passage of said first data packet to said second computer network; and

an operation module controlling said plurality of action modules to select one of said actions to be taken by said proxy system processor in lieu of said requested operation.

13. A method for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, including the steps of:

receiving at the screening system at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;

inspecting the packet based upon a predetermined criterion;

if the predetermined criterion is met, passing the packet through to the second network with the source and destination addresses unaltered; and

if the predetermined criterion is not met, then discarding the packet while preventing any response by the screening system to the first network.

14. A protection system for inhibiting targeting of a screening system coupled between a first computer network and a second computer network, the screening system including a processor, a memory coupled to the processor and storing instruction modules executable by the processor, a first network interface coupling the screening system to the first network and a second network interface coupling the screening system to the second network, the protection system including:

a first said module configured for receiving at least one data packet directed from the first network to the second network, the data packet including a source address identifying the first network and a destination address identifying the second network;

a second said module configured for inspecting the packet based upon a predetermined criterion;

a third said module configured for passing the packet through to the second network with the source and destination addresses unaltered, if the predetermined criterion is met;

a third said module configured for discarding the packet while preventing any response by the screening system to the first network, if the predetermined criterion is not met.

15. A system for inhibiting targeting of a first computer network, including:

a screening system coupled between the first computer network and a second computer network, the screening system including a processor, a first network interface coupling the screening system to the first network, and a second network interface coupling the screening system to the second network; and

a proxy network coupled to the screening system via a third network interface and including at least one proxy host having an internetwork address with a domain in common with the first computer network;

the screening system further including a memory coupled to the processor, the memory storing instruction modules executable by the processor, the modules including:

a first said module for receiving a packet via said first network interface, the data packet including a destination address including said domain; and

a second said module for passing the packet to said proxy host if said destination address pertains to said proxy host.

16. The system of claim 15, wherein said proxy host is a mirror of a host within said first network.

17. The system of claim 15, wherein said proxy host is a host unique to said proxy network.